Thursday, July 2, 2009

NSA, USCERT, EINSTEIN, TIC, Telecom Providers and the Future of Government Information Security

Today Ellen Nakashima of The Washington Post published an article about DHS USCERT, NSA and Telecommunications providers collaborating to monitor Civilian Agency Internet traffic using DHS's planned Einstein 3 tool to help defend these civilian government entities. The article correctly illustrates that NSA has the expertise and tools like Tutelage to know more about the context of the attacks. It also states that DHS has the authorization to monitor using Einstein (enforced by the TIC program). If you'll remember a while back I talked about Trusted Internet Connection (TIC) and its role in consolidating Internet points of presence and providing chokepoints to monitor and defend for the government.

In short, TIC mandated government agencies to meet very stringent requirements in order to become a TICAP (provider) or use pre-approved TICAPs (Telecom or other Agency) for all Internet traffic. The monitoring capabilities of these TICs are referenced in my earlier posts, but let's just say it's EVERYTHING. Not that I'm complaining; from a capabilities perspective I think NSA and Cyber Command should be making the most out of this information to help protect the government and, as Richard Bejtlich speculates, eventually ".com". NSA has the expertise and intelligence data, while DHS has the authorization to monitor, the framework to force everyone to play (TIC) and a toolset that is evolving (Einstein v2 is still being rolled out, v3 is in development). On a side note, I do have to wonder why the government isn't using more capable tools like NetWitness or Solera in conjunction with NSA tools and building a META SIEM to incorporate Intelligence feeds, but that's a topic for a later post.

My biggest question is this: I wonder how US-CERT and NSA are going to collaborate more effectively. Is Einstein raw data going to be handled by NSA? If so, what's the point of US-CERT in the future?

Should be interesting to see what happens once the cyber czar is appointed. From what I can tell, his/her kingdom has already laid a very clear path forward; the czar may simply be along for the ride while NSA drives over everyone else.

Update 1: (3 July 2009; 0930 EDT) Siobhan Gorman of The Wall Street Journal also has an article on this topic, "Troubles Plague Cyberspy Defense". This article takes a more conservative approach in describing what is happening across government with regard to consolidated monitoring. According to the article, Einstein v3 will be updated/rebuilt to more closely align with NSA Tutelage and is at least 18 months out. The idea is that it would start to develop full packet inspection capabilities (like NetWitness, Solera and a few others).

My Notes: If this perspective is more accurate, it seems US-CERT would monitor using technology enabled by NSA, instead of NSA accomplishing the monitoring. IMHO, from what I've seen, certain executive layers at DHS have not enabled US-CERT to be effective enough to actually function as a true analytical center, even though US-CERT has some very good people capable of executing on that mission. In fact, I'd go as far as to say DHS is at risk of losing key staff if they don't figure out a better way to enable their team. The place is known as a revolving door for a reason: the people they hire are very capable and motivated, but the organization itself may not be best suited for that expertise and vision.
